In a two-tier hierarchy CA design, what is a common security best practice?